Instant messaging (IM) is a popular method of communication over the Internet. IM offers several features that other means of communication over the Internet (e.g., e-mail) do not offer. For instance, IM allows “real-time” communication between users. Also, IM users can see whether friends or co-workers are present to participate in dialogs. Owing to these and other features, the number of users actively using IM has grown to substantial levels for both personal and professional uses. For personal uses, America Online (AOL), Microsoft Network (MSN), Yahoo!, ICQ, and others provide IM services. Some of these services are free of charge (i.e., public IM services), and some charge subscriptions (i.e., hosted IM services). For professional uses, corporations, e.g., International Business Machines (IBM), offer enterprise IM servers that can be installed on enterprise premises and can offer IM services to authorized users within the enterprise.
As shown in FIG. 1, a typical IM system includes an IM server 103 and many IM clients 101, 105. IM clients are computer programs that can be installed and executed on host computers. The IM server 103 is operated by an IM service provider, which can be a hosted, public, or enterprise IM service provider. A more comprehensive description of a conventional IM system is provided in U.S. Application, Publication Number 20040088546, entitled “System and method for add-on services, secondary authentication, authorization and/or secure communication for dialog based protocols and systems,” which is incorporated herein by reference in its entirety.
All users who sign up for IM services are given unique identifiers, which can be a combination of characters and numbers (hereinafter the “account names”). Users can publicize their account names to other users with whom they wish to communicate. The list of the account names with which a user wishes to communicate using IM is referred to as a “Buddy List” in AOL Instant Messenger and Yahoo! Messenger, and a “Contact List” in MSN Messenger and ICQ. Hereafter, the term “buddy list” refers to the “Buddy List,” “Contact List,” or other similar lists.
In operation, the IM client 101 creates a communication connection (e.g., a TCP connection) with the IM server 103. Once a connection is established between the IM server 103 and the IM client 101, the connection is “permanent”, and IM protocol packets are exchanged between the IM client 101 and the IM server 103. The IM protocol packets include:
1. Logon—These packets contain the account name of the user wishing to log on to the IM server 103 and a password (typically encrypted) that the IM server 103 can use to authenticate the user's identity.
2. Status—These packets allow the logged-on user to publish a status, for example: ready to receive messages, temporarily too busy to respond, not present to receive messages, etc. The status information is published to other users of the IM server 103 who are potentially interested in communicating with the user.
3. Buddy Lists—These packets contain names of other users (“buddies”) with whom the user is interested in communicating. These packets can also show the status of the buddies.
4. Messages—These packets contain messages. When the user communicates with a buddy, message packets are sent from the IM client 101 over the TCP connection. The IM server 103 then “pushes” the message packets to the IM client of the buddy.
Two unique characteristics of IM are:
1. IM clients have permanent TCP connections to IM servers. The collection of IM clients and their IM servers constitutes a “fully” connected network.
2. IM is characterized by “pushing” messages to the recipient (i.e., IM clients). In other words, when a user (i.e., logged on at an IM client) sends a message to a buddy, the message is automatically delivered to the buddy (i.e., another IM client) over a TCP connection that it had already established. This contrasts with other means of communication such as the World Wide Web and email, where all content is pulled.
As with other means of communication over the Internet, IM is vulnerable to attacks by “malware” programs. Here, malware refers to, without limitation, viruses, worms, SPIMs (i.e., SPAMs for IM), Trojan horses, spyware, malcode, etc. Malware also refers to messages that contain any references (e.g., pointers or URLs) to any of the malware just listed.
Malware can “infect” computers (e.g., turning computers into sources of malware, corrupting storage devices of computers, etc.) that host IM clients in a variety of ways. For instance, malware can take advantage of the “fully” connected and message-“pushing” characteristics of IM by sending messages from one user's host computer to the host computers of the buddies. This spreading process can be repeated when the malware arrives at each of the host computers of the buddies. In this way, malware can rapidly propagate and penetrate a large number of computers. Theoretically, malware can spread to 10 million host computers in 2 hours at a very conservative rate of propagation. Conventional security systems (e.g., firewalls, virus detectors, etc.) do not address this and other types of new threats posed by malware on IM.
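The growth rate described above can be checked with a simple mean-field model of push propagation over buddy lists. This is an added example, not part of the original text; the population size, buddy-list size, acceptance rate and per-hop delay are constructed assumptions, not figures from this document.

```python
import math

def spread_curve(population, buddies, p_accept, hop_minutes,
                 horizon_minutes, seeds=1):
    """Expected cumulative infections over time, as [(minute, infected)].

    Each newly infected host pushes one message to `buddies` contacts
    (modelled as uniformly random hosts); a susceptible recipient is
    infected with probability `p_accept`. One hop takes `hop_minutes`.
    """
    infected = float(seeds)
    newly = float(seeds)
    curve = [(0, infected)]
    t = 0
    while t + hop_minutes <= horizon_minutes and newly >= 1e-9:
        t += hop_minutes
        accepted = newly * buddies * p_accept
        susceptible = population - infected
        # Fraction of susceptible hosts hit by at least one accepted push;
        # this term makes growth saturate as buddy lists overlap.
        newly = susceptible * (1.0 - math.exp(-accepted / population))
        infected += newly
        curve.append((t, infected))
    return curve

def minutes_to_reach(target, **params):
    """First modelled minute at which `target` hosts are infected, or None."""
    for minute, infected in spread_curve(**params):
        if infected >= target:
            return minute
    return None

# Constructed parameters (assumptions): 50 million users, 20 buddies each,
# 10% of pushed messages acted on, 5 minutes per hop, 8-hour horizon.
BASE = dict(population=50_000_000, buddies=20, p_accept=0.10,
            hop_minutes=5, horizon_minutes=480)

if __name__ == "__main__":
    print("baseline:", minutes_to_reach(10_000_000, **BASE), "minutes")
    # Filtering that lowers acceptance to 4% gives 20 * 0.04 = 0.8 new
    # infections per infected host, so the outbreak dies out.
    filtered = dict(BASE, p_accept=0.04)
    print("filtered:", minutes_to_reach(10_000_000, **filtered))
```

The threshold that matters for a defender is the product of buddy-list size and acceptance rate: above 1 the spread is exponential until saturation, below 1 it stalls after a handful of hosts.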